As the date of the release of the final version of Internet Explorer 11 for Windows 8 and RT draws near, Microsoft has announced that it has paid out over $28,000 to six researchers who have successfully participated in the month-long bug bounty program for IE 11.
Launched on June 26 and set to last until July 26, the aim of the program was to receive information about vulnerabilities while the new version of the browser is still in the Preview period, so that they could be fixed before the final version is actually released.
According to the honor roll, the researchers who submitted qualifying vulnerabilities were:
- James Forshaw of Context Security, who earned a total of $9,400 for four flaw and one design-level vulnerability
- Jose Antonio Vazquez Gonzalez of Yenteasy – Security Research, who received a total of $5,500 for five IE flaws
- Independent researcher Masato Kinugawa – $2,200 for two flaws
- Google researchers Ivan Fratric and Fermin J. Serna – $1,100 and $500, respectively, for three bugs, and
- Peter Vreugdenhil of Exodus Intelligence received an undisclosed amount (if my calculations are right, around $10,000) for what must have been a serious IE 11 flaw.
“We’ve worked with so many bright security researchers through the years, and are thrilled that through the bounty programs, we received reports from researchers who had never reported to us directly before. This means we have even more great minds interested in working directly with us to help make our products more secure,” commented Katie Moussouris, Senior Security Strategist at the MSRC.
“The Preview period is a great time for us to receive these reports because we can address these issues earlier. Oftentimes, researchers typically do not report these findings until after code was released to manufacturing. With these submissions, we will be able to address these vulnerabilities earlier in the process providing a more secure version of Internet Explorer,” she pointed out, and added that they consider this particular bug bounty program a great success, as the first 30 days of the IE 10 beta period passed without any vulnerabilities having been reported.
The other two bounty programs launched on June 26 – for “truly novel” exploitation techniques against protections built into the latest version of Windows OS, and for defensive ideas for solving these Mitigation Bypass submission – are still ongoing.
UPDATE: Microsoft has announced that James Forshaw of Context Security has earned himself an additional bounty of $100,000 for finding and responsibly disclosing a Mitigation Bypass vulnerability and creating an exploit for it.
No indication was given about the type of mitigation technique (ASLR, DEP, SEHOP, metadata integrity checks, etc.) it bypasses.